Groomli — Privacy Policy

Last updated: May 30, 2026

1. Who We Are

Groomli ("we", "us", "our") is a SaaS platform for independent pet groomers, operated by Manuel Frauca, a self-employed professional (autónomo) based in Spain. We are the data controller for the personal data described in this Privacy Policy.

Contact: hello@groomli.app | Website: groomli.app

As a controller established in the European Union, Groomli processes personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD).

2. Who This Policy Covers

This Privacy Policy applies to two categories of individuals:

• Groomers: pet grooming professionals who register for a Groomli account ("Groomer Users")
• Clients: pet owners whose appointment details are entered into the platform by a groomer ("Client Users")

Important notice for Groomer Users: When you enter your clients' personal data (name, phone number, email) into Groomli, you become a data controller for that data under GDPR. You are responsible for ensuring you have a lawful basis to share your clients' data with Groomli (e.g. legitimate interest in protecting your business, or explicit consent). Groomli acts as your data processor for client data. See Section 13 (Data Processing Agreement) for details.

3. Data We Collect

3.1 Groomer Users

When you register and use Groomli as a groomer, we collect:

• Name and email address (for account creation and login)
• Business name
• Stripe account ID (for payment processing — we do not store bank details)
• Configuration preferences (no-show fee amount, cancellation window)
• Appointment records you create (client names, services, dates, prices)
• Usage data and logs (login times, actions taken in the dashboard)

3.2 Client Users

When a client confirms an appointment through a Groomli link, we collect:

• Name
• Phone number
• Email address (if provided by the groomer)
• Stripe Customer ID and Payment Method ID (tokenized references — we never store full card numbers)
• Appointment confirmation status and timestamp

We do NOT collect, store, or have access to: full card numbers, CVV codes, or any raw payment card data. All card data is handled exclusively by Stripe under PCI-DSS compliance.

3.3 Automatically Collected Data

When you use the Service, we may automatically collect:

• IP address and browser type
• Pages visited and actions taken within the platform
• Device and operating system information
• Cookies (see Section 9)

3.4 Support and Feedback

When you contact us through the in-app or website support/feedback form, we collect the email address you provide and the contents of your message. We use this solely to respond to you and to improve the Service. The legal basis is our legitimate interest (Art. 6(1)(f)) in answering your request. We do not use it for marketing.

4. Legal Basis for Processing (GDPR)

We process personal data on the following legal bases under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to groomer subscribers and to execute appointment confirmation for client users
• Legitimate interests (Art. 6(1)(f)): Processing client data to fulfill the groomer's legitimate interest in protecting their business from no-shows, Groomli's interest in providing and improving the Service, and fraud prevention
• Legal obligation (Art. 6(1)(c)): Where processing is required by applicable law (e.g. tax and accounting records under Spanish law)
• Consent (Art. 6(1)(a)): For any marketing communications, where explicitly obtained

5. How We Use Your Data

We use the data we collect to:

• Create and manage groomer accounts
• Generate and process appointment confirmation links
• Process payments and no-show charges via Stripe
• Send transactional notifications related to appointments and charges
• Provide customer support
• Detect and prevent fraud and abuse
• Comply with legal and tax obligations
• Improve and develop the Service

We do NOT sell your personal data to third parties. We do NOT use your data for advertising purposes on behalf of third parties.

6. Data Sharing and Third-Party Processors

We share data only with trusted third-party processors necessary to operate the Service:

Stripe (stripe.com) Payment processing, card-on-file storage, and payouts. Stripe is PCI-DSS Level 1 certified. Stripe processes data under its own Privacy Policy and as a processor under GDPR. Data may be transferred to the USA under Stripe's Standard Contractual Clauses.

Supabase (supabase.com) Database and authentication hosting. Our Supabase instance is hosted in the European Union (West EU — Ireland region). Supabase processes data under its Privacy Policy and GDPR Data Processing Agreement.

Vercel (vercel.com) Application hosting and deployment. Vercel is SOC 2 Type II certified and processes data under its Data Processing Agreement.

Resend (resend.com) Transactional email delivery (booking confirmations and reminders sent to clients on behalf of the groomer, no-show receipts to groomers, founder welcome emails, support replies). When we send an email, the recipient address, subject, and message body — which may include the client name, pet name, service description, and appointment time — pass through Resend in order to reach the recipient. Resend processes data under its Privacy Policy and as a processor under GDPR. Data may be transferred to the USA under Standard Contractual Clauses.

Meta Platforms, Inc. (meta.com) — only if you consent to marketing cookies If you accept marketing cookies on our public website, the Meta (Facebook) Pixel shares limited browsing and conversion events with Meta to measure and optimise our own advertising. Meta acts as an independent controller for this data under its own Privacy Policy. This happens only after you opt in via our cookie banner, and you can withdraw at any time (see Section 9). Data may be transferred to the USA under Standard Contractual Clauses.

All third-party processors are contractually bound to protect your data and use it only for the purposes we specify. We do not share data with any other third parties without your explicit consent, except where required by law.

7. International Data Transfers

Groomli is operated from Spain (EU). Some of our third-party processors may transfer data outside the EEA (Stripe and Resend in the USA, and — only if you consent to marketing cookies — Meta in the USA). All such transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914)
• Adequacy decisions where applicable
• Supplementary technical and organisational measures including encryption and access controls

8. Data Retention

We retain personal data for the following periods:

• Groomer account data: For the duration of the subscription plus 5 years (Spanish tax law — Ley 58/2003 General Tributaria)
• Appointment and payment records: 5 years from the date of the transaction (Spanish tax law requirement)
• Client confirmation data: 24 months from the appointment date, or until the groomer's account is deleted, whichever comes first
• Server logs: 90 days
• Deleted account data: 30 days in read-only state, then permanently deleted

After retention periods expire, data is securely and permanently deleted or irreversibly anonymised. You may request early deletion of your data by contacting hello@groomli.app, subject to our legal retention obligations.

9. Cookies

Groomli uses the following categories of cookies and similar technologies:

• Essential cookies: Required for the platform to function (session authentication, CSRF protection, security tokens). These are strictly necessary and cannot be disabled.
• Analytics: We use privacy-friendly, cookieless analytics (Vercel Analytics and Speed Insights) to understand aggregate, anonymised usage. These do not set tracking cookies and do not identify you or follow you across other sites.
• Marketing cookies (consent required): When you accept marketing cookies, we load the Meta (Facebook) Pixel on our public website. It uses cookies and similar identifiers to measure the performance of our advertising, optimise ad delivery, and build audiences. Data may be shared with Meta Platforms, Inc. and transferred to the USA under appropriate safeguards. The Meta Pixel is not loaded unless and until you consent.

Your choice: on your first visit to our public site we show a consent banner with equally prominent Accept and Reject options. We do not load any non-essential (marketing) cookies before you accept. You can change or withdraw your choice at any time via the "Cookie settings" link in the website footer. Withdrawing consent stops further loading of the Meta Pixel; you can also clear existing cookies through your browser settings. Disabling essential cookies will prevent the platform from functioning correctly.

10. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights:

• Right of access (Art. 15): Request a copy of the data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data, subject to legal retention requirements
• Right to restriction (Art. 18): Request that we limit how we use your data while a dispute is resolved
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV)
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
• Right to lodge a complaint: With the Spanish Data Protection Authority (AEPD) at aepd.es, or with the supervisory authority in your country of residence

To exercise any of these rights, contact us at hello@groomli.app. We will respond within 30 days of receipt. We may ask you to verify your identity before processing the request.

11. Rights of Client Users (Non-EEA)

If you are a client user located outside the EEA (e.g. in the United States):

• California residents: You have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what data we collect, the right to delete your data, and the right to opt-out of the sale of personal information. Groomli does not sell personal information.
• Virginia, Colorado, Connecticut, Texas, and other US states with privacy laws: We honour equivalent rights to access, delete, and correct your personal data upon verified request.
• All US clients: You may contact hello@groomli.app to request access to or deletion of your data. We will respond within 45 days.

12. Data Security

We implement appropriate technical and organisational measures (TOMs) to protect your personal data:

• Encryption in transit: All data is transmitted over HTTPS/TLS 1.2 or higher
• Database security: Row-Level Security (RLS) enforced at the database level — each groomer can only access their own data
• Payment security: Stripe handles all card data under PCI-DSS Level 1 compliance — Groomli never accesses or stores raw card numbers
• Access controls: Access to production data is restricted to authorised personnel only
• Authentication: Secure session management via Supabase Auth with token rotation
• Regular reviews: We review our security practices periodically and update them as needed

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware, and will notify affected users without undue delay where required by GDPR Art. 34.

13. Data Processing Agreement (Groomer Users)

Under GDPR, when Groomli processes the personal data of your clients on your behalf, Groomli acts as a data processor and you (the groomer) act as the data controller for that client data. This section constitutes the Data Processing Agreement (DPA) between you and Groomli as required by GDPR Art. 28.

13.1 Subject Matter and Duration

Groomli processes client personal data (names, phone numbers, email addresses, appointment details, and Stripe payment tokens) on behalf of the groomer for the purpose of providing the no-show protection service. Processing occurs for the duration of the groomer's subscription.

13.2 Nature and Purpose of Processing

Processing is carried out to: store appointment records, generate confirmation links, process payment card setup, send automated notifications, and charge no-show fees as instructed by the groomer.

13.3 Groomer Obligations as Controller

As the data controller for your clients' data, you agree to:

• Have a lawful basis for sharing client personal data with Groomli (legitimate interests or consent)
• Inform clients that their data will be processed by Groomli for appointment confirmation purposes
• Not instruct Groomli to process client data in any unlawful manner
• Respond to any data subject requests from your clients regarding their data

13.4 Groomli Obligations as Processor

Groomli agrees to:

• Process client data only on documented instructions from the groomer (i.e. the appointments you create)
• Ensure that personnel with access to client data are bound by confidentiality obligations
• Implement the security measures described in Section 12
• Delete or return client data upon termination of the groomer's account
• Assist the groomer in responding to data subject rights requests where technically feasible
• Not engage additional sub-processors beyond those listed in Section 6 without informing groomer users

14. Children's Privacy

Groomli is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@groomli.app and we will delete it promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify groomer users by email at least 14 days before changes take effect and update the "Last updated" date. Continued use of the Service after changes become effective constitutes acceptance. If you do not agree, you may cancel your subscription before the effective date.

16. Contact and Supervisory Authorities

For any questions, rights requests, or concerns regarding this Privacy Policy:

Groomli — Data Controller Operated by: Manuel Frauca (Autónomo, Spain) Email: hello@groomli.app Website: groomli.app

Spanish supervisory authority: Agencia Española de Protección de Datos (AEPD) Website: aepd.es | Phone: +34 912 663 517 | Address: C/ Jorge Juan, 6, 28001 Madrid

EU Online Dispute Resolution: ec.europa.eu/consumers/odr